Governance, Risk Management, and Compliance blog

Five great tips for security officers with sole responsibility for information security

[fa icon="calendar"] Tuesday, 19 March 2019 / by Jakob Holm Hansen

All alone in the world. This is a feeling that many security officers with sole responsibility for information security can recognise as they are faced with more and more requirements for their compliance programme, without any extra resources to help them carry out their tasks. But never fear, for we are here to the rescue with five great tips to increase efficiency and help management to better understand information security.

More requirements on information security. Fewer hands to help do the work.

This is the reality for many small and medium-sized companies. Without understanding the details or scope of the task, both internal and external stakeholders expect full control of the compliance program at all times. But these expectations – and the ever increasing workload – rarely lead to the employment of more resources. 

Some of us may be tempted to call this the "all-alone-in-the-world syndrome". Security officers with sole responsibility for information security often feel that they have more tasks than they have time for. This is not just frustrating; it also exposes the company to an increased risk when the security officer does not have the full overview. 

Break out of the vicious cycle

Jakob Holm Hansen is the managing director. He explains that security officers with sole responsibility for information security often work themselves to the bone in order to keep up with their company's compliance programme. Yet their results are not glaringly visible, which means their efforts are rarely recognised.

"It can be difficult to show management that there is a need for additional support or other measures when the security officer doesn't have good overview of the compliance programme. Similarly, it's hard for management to release more resources to the compliance programme if they aren't entirely sure exactly where the money is going. And so, it quickly turns into a vicious cycle," says Jakob Holm Hansen.

Here, Jakob provides us with five great tips that can help security officers with sole responsibility improve their working conditions and better control their company's information security.

  1. Create structure
    Structure brings efficiency. This is true within many disciplines, and particularly when it comes to information security. Security officers can considerably improve their efficiency by following a compliance programme and organising their tasks in accordance with an order of priority.

  2. Delegate more tasks
    It may well be the case that there is only one security officer responsible for the information security within a company. But that doesn't mean that this security officer should have to perform all of the tasks. The main advantages of delegating tasks to colleagues are that information security managers can retain a good overview, and information security can be more securely anchored as a result of having several parts of the company involved in the compliance programme.

  3. Automated workflows
    Information security is an area that involves many repeat tasks that need to be performed at regular intervals throughout the twelve months of the year. Many of these workflows can be automated, which means important tasks won't be forgotten, you won't waste energy on developing manual routines or reminders, and it becomes possible to secure better documentation around what tasks have been completed.

  4. Visualise needs and progress
    As humans, we quite simply tend to understand things better when we can see them visualised as opposed to expressed as words or raw data. Visualisation promotes comprehension, and if we can visualise progress in the form of graphs or diagrams, or even set out our expected resource usage or anticipated schedule, it can help make the case for allocating more resources to the compliance programme.

  5. Engage management
    There can sometimes be a gap in communication between security officers and general management when it comes to talking about information security. Security officers often speak in technical terms, while general management talk in the language of business jargon. With the right reporting tools, security officers with sole responsibility can build bridges between the management and themselves in order to improve their circumstances and get the support they need for the compliance programme.


How to build an annual plan for information security

We recommend using an annual plan to organise your compliance tasks. An annual plan will among other things, give you complete overview of your tasks and make it easier to document your resource needs.

In our latest guide, we discuss how to go about creating an annual plan for information security in 5 simple steps.

Download the guide and get the recipe

How to build an annual plan for information security



Emner: information security, continuous compliance, annual plan

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts